
Summary - AdviceTech Podcast 109 – Cyber Security Special

Produced By: Ensombl

Earn 0.30 CPD Points


Introduction

Cybersecurity has become one of the most pressing issues of our time. As organizations grapple with increasingly sophisticated threats in both the public and private spheres, professionals must combine technical knowledge with ethical responsibility. Fostering a culture of trust, competence, and social responsibility is paramount—not only for safeguarding client data but also for ensuring that broader communities, customers, and stakeholders remain well-protected.

In a recent conversation, host Patrick Gardner spoke with Rob Dawson, an IT professional with extensive experience in workflow automation, managed IT services, and cybersecurity. Their dialogue ranged from nostalgic tales of old technology to the detail of the Australian Signals Directorate’s “Essential Eight” cybersecurity framework. This article synthesizes that discussion into a comprehensive look at how organizations, especially in regulated industries like law and finance, can uphold high standards of professionalism and ethics through robust cybersecurity practices.

What follows is an exploration of critical cybersecurity measures, strategies for organizational buy-in, the ethical duties IT professionals and business leaders must uphold, and how a simplified yet holistic approach can advance both security and efficiency. By weaving in Dawson’s insights and observations, along with references to how frameworks like the Essential Eight operate in practice, we’ll reveal an actionable roadmap to align technical rigor with ethical conduct.


1. The Evolving IT Landscape: From Old Surface Pros to AI

Before delving into cybersecurity and ethics, it’s helpful to understand the trajectory that brought many professionals to the digital age. For Rob Dawson, one of the more amusing anecdotes he shared was about his oldest piece of technology: a Surface Pro 3 with a cracked screen. Despite its wear, that decade-old device sometimes comes out of storage because it houses remnants of previous businesses and projects. In many ways, this anecdote is emblematic of how technology holds both historical and practical value: even outdated hardware can store critical data worth safeguarding, which means a retired device that still holds business or client records should stay encrypted while it is kept and be securely wiped when it is finally disposed of.

However, while there is nostalgia in old tech, the present is squarely pointed toward artificial intelligence (AI) and automation. Dawson described how he frequently uses AI to generate executive summaries, sales proposals, or tender documentation. In a professional context, leveraging AI to transcribe and summarize client meetings or to quickly compile information into coherent proposals saves time, encourages productivity, and enhances clarity. Yet each time a new AI tool is introduced, it raises important ethical questions about data usage, privacy, and the potential for unintended consequences.

From an ethical standpoint, it is crucial for companies to:

  • Obtain informed consent from clients or counterparts whose conversations may be recorded or transcribed.
  • Ensure data security when employing AI-driven tools, particularly if the material is confidential or sensitive.
  • Maintain transparency with employees about AI usage and the exact boundaries of what data is processed.

These small steps keep teams grounded in the ethical implications of new technologies, underlining professionalism and respect for privacy.


2. Dawson’s Professional Journey: From Local Government to Managed IT

Rob Dawson’s path into IT was somewhat serendipitous. Initially aiming for a career in civil engineering, he found himself offered an IT traineeship in local government instead. There, managing technology for an organization with 1,500 users across multiple sites, he learned core skills that would shape his future. After moving into Managed Service Provider (MSP) work, he pivoted to document and content management, setting the stage for an eventual specialization in workflow automation and process optimization.

Following stints in Queensland and Sydney, Dawson settled into a partnership with Mertech (spelled “MYRTEC”); that partnership was part of what drew him back to an in-office environment after years of working remotely. This professional trajectory reveals the ethical mindset that underpins robust IT support:

  • Servant leadership: Implementing solutions for the public sector taught Dawson the importance of accountability and reliability.
  • Regulated industry focus: Having a background in local government roles cultivates a deep respect for compliance, record-keeping, and transparency.

Both traits align well with an ethical foundation for cybersecurity. When professionals have a history of working in high-stakes, regulated environments, the norms of caution, diligence, and respect for privacy become second nature. This background made Dawson and his team at Mertech particularly adept at serving legal, accounting, finance, and NDIS-based organizations—sectors that handle highly sensitive data requiring rock-solid cybersecurity.


3. Simplify, Secure, and Develop: A Foundational Approach

During the conversation, Dawson cited three core principles that guide Mertech’s approach to managed IT: Simplify, Secure, and Develop. Each principle underscores not only a technical capability but also an ethical stance on how best to protect client data and maintain the integrity of systems.

  1. Simplify
    Modern organizations often suffer from “technology sprawl,” where multiple overlapping applications (e.g., Slack, Dropbox, Zoom, plus Microsoft 365 or Google Workspace) compound complexity. This sprawl can result in data scattered across numerous platforms—creating vulnerabilities and diluting accountability. The simpler your environment, the fewer points of entry for malicious actors.
    Ethical significance: Simplification helps eliminate confusion around where data is stored and who is responsible. A clearer record of data flows reduces the risk of negligence or oversight.
  2. Secure
    Once complexity is reined in, resources and attention can focus on thoroughly securing the remaining systems. If businesses try to secure every single application under the sun, costs can skyrocket, and thorough checks might be overlooked. A simpler, more consolidated suite of software makes implementing robust security measures feasible, which is where frameworks like the Essential Eight come into play.
    Ethical significance: Clients, employees, and regulators require assurance that data is guarded against threats. Security fosters trust and fulfills legal obligations to protect personal and financial information.
  3. Develop
    Finally, Dawson emphasizes development—applying automation and workflow efficiencies that truly unlock technology’s potential. The impetus is not just about preventing negative outcomes but also about generating positive value. When used responsibly, AI or process automation can enhance productivity, enabling staff to focus on more creative, strategic tasks.
    Ethical significance: By automating repetitive tasks, employees can focus on higher-level problem solving and client service. However, teams must address potential job displacement or changes in role scope with honesty, fairness, and transitional support.

4. Introducing the Essential Eight: A Baseline for Cybersecurity

In Australia, the Essential Eight is a set of baseline mitigation strategies published by the Australian Signals Directorate (ASD). First released in 2017 as an expansion of ASD’s earlier “Top 4”, it identifies the eight strategies that, implemented together, stop the most common forms of compromise. Implementation is assessed against maturity levels (MLs), starting from ML0 (significant weaknesses in overall posture) and rising through three target levels:

  • ML1: Defends against opportunistic adversaries using commodity tools and techniques sprayed across many targets at once (often called “spray and pray”).
  • ML2: Defends against adversaries prepared to invest more time and effort in a specific target, for example through targeted social engineering.
  • ML3: Defends against adaptive, well-resourced adversaries; this is the level expected of high-stakes environments such as critical infrastructure or government systems facing state-sponsored threats.

Implementing the Essential Eight helps businesses improve their security posture. However, as Dawson points out, the Essential Eight alone does not cover everything (for instance, mobile device management and certain user training aspects). Nevertheless, it provides a strong foundation, especially for small to mid-sized firms in regulated industries like law or accounting.

Below is a concise overview of each control in the Essential Eight (with ethical considerations woven in):

  1. Patch Applications
    • What It Is: Keep third-party software (e.g., web browsers, Adobe Acrobat, office productivity suites) up to date and remove products the vendor no longer supports. ASD’s maturity model puts timeframes on this: for internet-facing services, patches are applied within two weeks of release, or within 48 hours if an exploit exists.
    • Why It Matters: Outdated software is a common entry point for attackers; prompt patching reflects a commitment to due diligence and protection of sensitive data.
  2. Patch Operating Systems
    • What It Is: Regularly update the core operating systems (Windows, macOS, mobile OS) across devices, with the same urgency for internet-facing systems.
    • Why It Matters: An unpatched OS flaw can hand an attacker code execution or privilege escalation on the device itself, beneath any application-level control. Swift OS patching upholds the duty of consistent maintenance.
  3. Multi-Factor Authentication (MFA)
    • What It Is: Require users of online services, remote access and privileged accounts to confirm their identity with more than a password (e.g., a code from an authenticator app or a hardware token; the higher maturity levels require phishing-resistant methods).
    • Why It Matters: MFA significantly reduces the risk of unauthorized access from a stolen or phished password. It is a baseline practice for safeguarding client and internal data.
  4. Restricting Administrative Privileges
    • What It Is: Limit the number of people with administrative access, validate requests for privileged access, and require separate, dedicated admin accounts that are not used for email or web browsing.
    • Why It Matters: A compromised admin account can allow attackers to seize or destroy vast amounts of data. Restricting privileges demonstrates responsibility in data governance.
  5. Application Control
    • What It Is: Allow only an approved set of executables, software libraries, scripts, installers and similar file types to run, and block execution from user profiles and the temporary folders used by the operating system, browsers and email clients.
    • Why It Matters: Malware often arrives as a file that looks legitimate and runs from exactly those locations. Application control stops an employee from inadvertently running a malicious file.
  6. Restricting Microsoft Office Macros
    • What It Is: Disable macros (the scripting functionality in Office files, particularly Excel) for users without a demonstrated business need, block macros in files downloaded from the internet, and prevent users from changing those settings.
    • Why It Matters: Macros can be weaponized to launch malware directly from an opened document. This measure removes one of the most common phishing payloads.
  7. User Application Hardening
    • What It Is: Strip risky features from everyday software: web browsers do not process Java or web advertisements from the internet, Internet Explorer 11 is disabled or removed, users cannot change browser security settings, and at the higher maturity levels Office and PDF readers are prevented from creating child processes.
    • Why It Matters: Like macros, embedded scripts and spawned processes are hidden vectors for compromise. Hardening them is a proactive measure that minimizes client data exposure.
  8. Regular Backups
    • What It Is: Back up important data, software and configuration settings; keep the copies for the required retention period in a location separate from daily operations (offsite or with a third party); restrict who can modify or delete them; and test restoration as part of disaster recovery exercises.
    • Why It Matters: Ransomware often encrypts or destroys local data, and increasingly targets reachable backups too. Regular, segregated and tested backups protect business continuity and fulfill the obligation to preserve essential records.

5. Beyond the Basics: Password Managers, Cloud Backups, and Human Behavior

Dawson’s conversation with Gardner covered best practices that complement the Essential Eight, such as using password managers (e.g., Keeper) and cloud backups. Importantly, while many assume Microsoft 365 automatically backs up their data, Dawson’s point is that it is closer to a synchronization or replication service: a file you accidentally delete, or that a malicious actor deletes or encrypts, is replicated in that state. Deleted items are recoverable only for a limited window (the SharePoint and OneDrive recycle bins keep items for 93 days) unless retention policies have been configured, and Microsoft does not retain them indefinitely. This underscores the necessity of independent, offsite backups:

  1. Password Managers
    • Password security remains a cornerstone of responsible cybersecurity. Modern password managers create unique, long, and complex passwords for each login, protecting against credential stuffing and other password-related breaches.
    • Professionalism and Ethics: Properly implemented password managers reduce human error and the likelihood of staff reusing personal passwords. It is a show of organizational integrity to systematically protect logins that grant access to sensitive client data.
  2. Cloud Backup Solutions
    • Tools that back up services like Microsoft 365 or Google Workspace to a third-party location must be encrypted and governed by strict access controls.
    • Professionalism and Ethics: Upholding data retention policies in line with industry regulations (e.g., seven-year retention for financial services, indefinite for certain legal documents) ensures businesses meet their compliance obligations.
  3. Human Behavior and Social Engineering
    • Phishing remains the dominant way in: vendor threat reports commonly attribute well over 90% of initial intrusions to phishing email. On mobile devices the risk is compounded because mail apps typically show only the sender’s display name and hide the full address, so a message from “Accounts Payable” at a look-alike domain looks identical to a genuine one.
    • Professionalism and Ethics: Ongoing education and training empower employees to recognize phishing attempts. Leaders must build a safe learning environment that encourages staff to report suspicious emails without fear of reprimand, furthering a culture of collective vigilance.
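The mobile-client problem above can be turned into a concrete check. The following Python script is an added example, not code from the podcast or the article: it parses a message’s From and Reply-To headers and reports the things a display-name-only view hides, such as an address written into the display name, a brand claimed by a domain that does not own it, or an internal staff name arriving from an external or look-alike domain. The domain example-advice.com.au, the staff names, the brand list and the four sample messages are all constructed for the example.

```python
"""Flag e-mails whose visible display name hides a mismatched sender address.

Added example, not code from the podcast or the article. A mobile mail client
that shows only the display name renders the constructed messages below as
"Accounts Payable", "patrick@..." or "Microsoft 365 Team", so the check looks at
the parts the user cannot see: the real address, its domain and the Reply-To.
Domains, staff names and messages are invented.
"""
import email
import re
from email.utils import parseaddr

# Assumptions for the example: the firm's own mail domain and a few staff names.
INTERNAL_DOMAINS = {"example-advice.com.au"}
INTERNAL_STAFF = {"Accounts Payable", "Patrick Gardner"}

# Brands that, if named in a display name, should come from one of these domains.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
}

ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyse_sender(raw_message: str) -> list[str]:
    """Return the reasons this message looks like a spoofed sender (empty = none)."""
    msg = email.message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    if not address or "@" not in address:
        return ["missing or unparseable From address"]
    from_domain = domain_of(address)
    reasons = []

    # 1. An address written into the display name that differs from the real one,
    #    e.g. From: "patrick@example-advice.com.au" <p.gardner.1982@gmail.com>
    embedded = ADDRESS_RE.search(display_name)
    if embedded and domain_of(embedded.group()) != from_domain:
        reasons.append(f"display name shows {embedded.group()} but sender is {address}")

    # 2. The display name claims a brand the sending domain does not belong to.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and from_domain not in domains:
            reasons.append(f"display name claims {brand} but domain is {from_domain}")

    # 3. The display name is a known colleague but the address is external
    #    (this also catches look-alike domains such as example-advice-com.au.*).
    if display_name in INTERNAL_STAFF and from_domain not in INTERNAL_DOMAINS:
        reasons.append(f"'{display_name}' is internal staff but domain is {from_domain}")

    # 4. Replies would go somewhere other than the sending domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        reasons.append(f"Reply-To {reply_to} differs from sender domain {from_domain}")

    return reasons


# Constructed messages; only the headers matter for this check.
SAMPLE_MESSAGES = {
    "legitimate": 'From: "Accounts Payable" <ap@example-advice.com.au>\n'
                  "Subject: May invoices\n\nAttached as usual.\n",
    "lookalike_domain": 'From: "Accounts Payable" <ap@example-advice-com.au.payments-portal.net>\n'
                        "Subject: Updated bank details\n\nPlease action today.\n",
    "address_in_name": 'From: "patrick@example-advice.com.au" <p.gardner.1982@gmail.com>\n'
                       "Reply-To: <ceo-urgent@protonmail.com>\n"
                       "Subject: Quick favour\n\nAre you at your desk?\n",
    "brand_claim": 'From: "Microsoft 365 Team" <no-reply@m365-security-alerts.com>\n'
                   "Subject: Password expires today\n\nSign in to keep your account.\n",
}


def scan_all() -> dict[str, list[str]]:
    return {name: analyse_sender(raw) for name, raw in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, reasons in scan_all().items():
        print(f"{name}: {'OK' if not reasons else 'SUSPICIOUS'}")
        for reason in reasons:
            print("   -", reason)
```

A check like this belongs in the mail gateway or in the workflow behind a “report phishing” button rather than on the phone; the point is that every signal it uses sits in a header the mobile client does not display, which is why training staff to open the full sender details matters.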

6. Insurance, Compliance, and Regulatory Considerations

Beyond frameworks like the Essential Eight, Dawson emphasized the crucial role of cyber insurance and compliance. Insurers, being risk underwriters, demand concrete proof of a company’s security posture before they will assume liability. A robust approach to meeting insurance requirements typically involves:

  • Documentation: Cyber insurers often provide a self-assessment checklist. Completing these forms accurately helps identify weaknesses.
  • Gap Analysis: Comparing a company’s current measures with insurer expectations highlights areas for immediate improvement, such as network segmentation or encryption.
  • Ongoing Audits: As threats evolve, so do insurance underwriters’ demands. Regular security assessments ensure businesses remain insurable year after year.

When organizations operate under licensees, as is common in financial services, the licensee often sets stringent cybersecurity standards. Those standards reflect not just insurer expectations but also legal guidelines from regulatory bodies like ASIC (Australian Securities and Investments Commission). Meeting those guidelines is a condition of ethical and legal compliance, ensuring the confidentiality and integrity of client financial data.


7. Measuring Progress: Tools and Techniques

Measuring cybersecurity improvements is no trivial task. Tools like Microsoft Secure Score help assess security baselines in Microsoft 365 and provide incremental improvements that administrators can implement. A few notable examples:

  • MFA Enforcement: The single biggest jump in Secure Score often comes from ensuring all users have multi-factor authentication in place.
  • Conditional Access: Available with Microsoft Entra ID P1 and higher (included in Microsoft 365 Business Premium), it lets you write sign-in rules such as blocking logins from countries where you have no staff, or requiring MFA whenever a sign-in comes from outside a trusted location, for example while staff are traveling.
  • External Sharing Restrictions: Limiting unrestricted file-sharing (e.g., anonymous SharePoint links) can provide an immediate boost to a tenant’s overall security posture.
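To make the Conditional Access bullet concrete, here is an added example in Python; it is not Microsoft’s Conditional Access engine and not code from the podcast or the article. It evaluates a constructed sign-in log against three rules of the kind the text describes: block sign-ins from named countries, require MFA outside trusted countries, and raise an alert on a sign-in from a country the user has never used before. The blocked and trusted country lists, the user names and the IP addresses are assumptions made for the example.

```python
"""Evaluate sign-in events against Conditional Access style rules.

Added example, not Microsoft's Conditional Access engine and not code from the
podcast or the article. It models three rules over a constructed sign-in log:
block named countries, require MFA outside trusted countries, and alert on the
first sign-in from a country the user has not used before. Country lists,
users and IP addresses (TEST-NET ranges) are invented for the example.
"""
from dataclasses import dataclass, field

# Assumed policy for the example; the article names no specific countries.
BLOCKED_COUNTRIES = {"RU", "KP"}   # sign-ins from here are never allowed
TRUSTED_COUNTRIES = {"AU", "NZ"}   # no MFA re-prompt from here in this model

# Constructed log: timestamp,user,country,ip,mfa_satisfied
SAMPLE_LOG = """\
2024-05-01T09:00:00Z,patrick,AU,203.0.113.5,false
2024-05-03T22:15:00Z,patrick,SG,198.51.100.7,false
2024-05-03T22:16:30Z,patrick,SG,198.51.100.7,true
2024-05-04T03:40:00Z,patrick,RU,192.0.2.44,true
2024-05-04T08:05:00Z,sarah,AU,203.0.113.9,false
"""


@dataclass
class SignIn:
    timestamp: str
    user: str
    country: str
    ip: str
    mfa_satisfied: bool


@dataclass
class Decision:
    action: str                                  # "allow", "require_mfa" or "block"
    alerts: list[str] = field(default_factory=list)


def parse_log(text: str) -> list[SignIn]:
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, country, ip, mfa = line.split(",")
        events.append(SignIn(ts, user, country.upper(), ip, mfa.strip().lower() == "true"))
    return events


def evaluate(event: SignIn, known_countries: dict[str, set[str]]) -> Decision:
    """Apply the rules in severity order.

    A user's country history is extended only when a sign-in is allowed, so a
    challenged or blocked attempt from a new country never makes that country
    "familiar" for later attempts.
    """
    if event.country in BLOCKED_COUNTRIES:
        return Decision("block", [f"{event.user}: sign-in from blocked country "
                                  f"{event.country} ({event.ip})"])

    history = known_countries.setdefault(event.user, set())
    alerts = []
    if history and event.country not in history:   # first-ever sign-in is the baseline
        alerts.append(f"{event.user}: sign-in from {event.country} ({event.ip}), "
                      "a country not previously used")

    if event.country not in TRUSTED_COUNTRIES and not event.mfa_satisfied:
        return Decision("require_mfa", alerts)

    history.add(event.country)
    return Decision("allow", alerts)


def process_log(text: str) -> list[Decision]:
    known: dict[str, set[str]] = {}
    return [evaluate(e, known) for e in parse_log(text)]


if __name__ == "__main__":
    for event, decision in zip(parse_log(SAMPLE_LOG), process_log(SAMPLE_LOG)):
        print(f"{event.timestamp} {event.user:8} {event.country} -> {decision.action}")
        for alert in decision.alerts:
            print("   ALERT:", alert)
```

In the sample log, patrick’s first attempt from Singapore is challenged for MFA and raises an alert, the retry with MFA is allowed (still alerted, because the country was not yet known), and the later attempt from a blocked country is refused outright regardless of MFA. A real tenant would keep MFA as the baseline for everyone, which is the Secure Score point above, and use geographic rules like these on top of it.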

Using such measurement tools instills a sense of accountability, aligning with the broader ethical imperative of transparency and ongoing improvement. Dawson suggests that organizations in regulated industries aim for a Microsoft Secure Score of at least 60%; 50% might suffice for smaller entities, but aiming higher builds resilience in a volatile cyber climate. Secure Score measures how many of Microsoft’s recommended controls a tenant has adopted, not whether it has been compromised, so it is best read as a trend to keep moving upward rather than a pass mark.


8. Embedding an Ethical Cybersecurity Culture

No matter how advanced or carefully deployed the technology, humans remain the weakest link in cybersecurity. Dawson underscores a holistic approach, often summarized as people, process, and technology working in harmony.

  1. People
    • Training: Regular refreshers on phishing detection, password hygiene, and incident reporting.
    • Culture: Non-punitive reporting structures encourage employees to disclose potential mistakes or security lapses promptly and honestly.
  2. Process
    • Incident Response Plans: Detailed protocols for identifying, containing, and mitigating breaches.
    • Regular Policy Reviews: Update policies to align with new regulations or emerging threats.
  3. Technology
    • Automation: Streamline tasks to reduce the burden on staff, freeing time for critical thinking and thorough compliance checks.
    • Monitoring Tools: Real-time alerts (e.g., suspicious activity triggers or log-ins from unfamiliar IP addresses).

Fostering an ethical cybersecurity culture means ensuring that each layer complements the others. Employees who understand the moral and legal implications of compromised data are more likely to engage seriously with training and protocols. Company leaders who champion these ideals model behavior that resonates through the entire organization.


9. Professionalism and Ethics: A Continuous Commitment

Throughout the conversation, both Patrick Gardner and Rob Dawson returned to the notion that cybersecurity is never a “set and forget” exercise. The complexity of current threats calls for ongoing diligence. Businesses must integrate professionalism and ethics at every level, from how they store decades-old data on a cracked Surface Pro to how they roll out advanced AI-driven workflow automation.

Key Ethical Imperatives

  1. Integrity in Representation
    • Always disclose to clients when AI tools are being used to summarize or generate documents, particularly for sensitive legal or financial tasks.
  2. Client-Centric Privacy
    • Strict compliance with data privacy regulations, ensuring third-party tools do not become gateways for data misuse.
  3. Continuous Learning
    • Cyber criminals evolve, and so must professionals. Learning about new frameworks, signing up for relevant certification courses, and attending conferences fosters an ethical standard of continuous improvement.
  4. Fair Collaboration
    • Recognize that cybersecurity measures can be intrusive. Balancing employee rights and organizational safety is a hallmark of ethical leadership. Containerized approaches to mobile device management, for instance, show respect for staff privacy.
  5. Transparency and Accountability
    • A robust ethical framework necessitates clear channels for reporting incidents, near-misses, or suspicious behaviors. This transparency upholds accountability at every tier of the organization.

10. Conclusion

Cybersecurity is as much about protecting data and complying with regulations as it is about upholding ethical standards of trust and service. In this evolving digital world—where AI has become ubiquitous, and threat actors continuously refine their strategies—staying informed is not optional. Professionals have a duty of care to ensure that data under their stewardship is handled responsibly, ethically, and effectively. Organizations must commit time and resources to implement frameworks such as the Essential Eight, while also going beyond those basics to address issues like mobile device security, password management, and social engineering risks.

Rob Dawson’s insights illustrate that the road to strong cybersecurity begins with a clear set of guiding principles. Simplify the technology stack wherever possible, secure each remaining layer diligently, and finally develop new efficiencies that harness the potential of AI and automation. This triad ensures not just the creation of a robust security perimeter, but the fostering of a corporate culture that values responsibility, transparency, and ethical conduct.

Ultimately, cybersecurity must be seen as an ongoing journey—one that demands vigilance, adaptability, and above all, integrity. By focusing on the interplay of people, process, and technology, and recognizing that each has an ethical dimension, businesses can align with best practices while maintaining the highest professional standards. From critical backups to well-structured administrative privileges, each decision ties back to the same foundational ethos: to protect and respect the data entrusted to them.


Accreditation Points Allocation:

0.10 Technical Competence

0.10 Regulatory Compliance and Consumer Protection

0.10 Professionalism and Ethics

0.30 Total CPD Points
